NowSecure Mobile App Risk Intelligence (MARI) Safeguards Mobile App Ecosystems

Posted by Brendan Hann, Product Marketing Manager
As Product Marketing Manager for NowSecure, Brendan Hann focuses on equipping developers, security professionals and DevSecOps teams with best-of-breed mobile app security skills, tools and resources. His career has primarily been focused on helping organizations deliver innovative, secure applications at scale. Brendan’s track record of success with application and security teams spans NowSecure, Veracode and PayPal.

Mobile apps have become indispensable to modern businesses, yet they present significant risks when not properly secured. NowSecure benchmark data indicates that 85% of apps found in public app stores have security flaws and 70% have the potential to leak personal data. 

NowSecure Mobile App Risk Intelligence (MARI) protects organizations by providing insight around pervasive mobile app risks that jeopardize businesses. By identifying pervasive security, safety and privacy risks in mobile apps from Google Play and the Apple App Store, the MARI solution empowers security, IT operations and Global Risk & Compliance (GRC) teams to make informed decisions about which third-party mobile apps to allow in their mobile ecosystems.

Gain Awareness About Pervasive Risks

Identifying and managing security, safety and privacy risks is critical for safeguarding sensitive data and ensuring compliance with industry regulations. 

NowSecure frequently observes common, pervasive mobile app risks that lead to failures during automated mobile application security testing assessments, ADA Mobile Application Security Assessments (MASA) validations and Mobile App Pen Testing as a Service engagements.

For example, NowSecure expert pen testers frequently encounter some of the same mobile app security and privacy issues across Android apps:

  • 75% of apps have misconfigured cryptographic libraries and often leave sensitive data unprotected.
  • 85% of apps have vulnerabilities stemming from integrated SDKs, which can expose apps to third-party risks.
  • 80% of apps improperly prepare code for release, introducing bugs and vulnerabilities that compromise security post-launch.

While these results underscore the importance of thoroughly and continuously testing mobile apps, they also present risk to individuals who use those mobile apps. An employee using an app that incorrectly encrypts data exposes the organization to real risks such as credential harvesting and stuffing attacks. 

In addition to the risks identified during expert pen testing, NowSecure Platform automated assessments uncover several recurring, impactful vulnerabilities. In 16% to 30% of assessments, we identify the following findings:

  • SSL Configuration Allows Insecure Connections: Improper SSL configurations expose apps to man-in-the-middle attacks.
  • Debuggable WebViews Found in Code: This can allow attackers to access sensitive data or perform malicious actions.
  • Initialization Vector Reused for Encryption: Reusing initialization vectors reduces the effectiveness of encryption, making it easier for attackers to decrypt sensitive information.
  • Hardcoded Cryptographic Keys: Hardcoded keys can be easily extracted, allowing unauthorized access to encrypted data.
  • Insecure Symmetric Encryption Modes: Poor encryption practices make it easier for attackers to decipher communications and data.

These findings highlight areas where development and security teams must focus their efforts in building secure mobile applications. They also demonstrate some of the potential risks to individuals using these apps.

Pervasive risks are also persistent risks! After identifying these risks, mobile DevSecOps teams frequently encounter obstacles in fully remediating them. Persistent risks require special attention to remediate, and until they are fixed they leave mobile apps and users vulnerable to attacks. Some of the most persistent issues that NowSecure Platform automated mobile application security testing and expert PTaaS identify include:

  • Context Registered Broadcast Receivers Not Protected with Permissions: This issue leaves apps vulnerable to unauthorized actions from other apps.
  • Debuggable WebViews Found in Code: While often overlooked, this can remain an ongoing issue even after developers believe it has been addressed.
  • Insecure Implementation of WebView SSL Error Handling: Improper error handling can allow attackers to intercept communications.
  • Hardcoded Cryptographic Keys: Even when flagged, removing or properly handling hardcoded keys is a complex task.
  • App Vulnerability to Strandhogg: This vulnerability allows malicious apps to pose as legitimate ones, creating a serious risk to users and data.
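As an added illustration (not NowSecure code and not how NowSecure Platform works), the sketch below shows how a development team could flag several of the findings named in the two lists above in Android source during code review. The Android and JCA API names are real; the rule ids, the regexes and the sample class are constructed for this example, and the regexes are only a first-pass source check.

```python
import re

# Rules for findings named in the lists above. The Android/JCA API names are real;
# the rule ids and the SAMPLE source are constructed for this example.
RULES = [
    ("debuggable-webview", re.compile(r"setWebContentsDebuggingEnabled\(\s*true\s*\)")),
    # onReceivedSslError body that calls proceed() and so accepts a bad certificate
    ("ssl-error-ignored", re.compile(r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\(\)")),
    # explicit ECB, or a bare algorithm name, which common JCA providers resolve to ECB
    ("insecure-cipher-mode",
     re.compile(r'Cipher\.getInstance\(\s*"(?:AES|DES|DESede)(?:/ECB/[^"]*)?"')),
    ("hardcoded-key", re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\.getBytes\(')),
    # IV built from a string literal or a fresh all-zero array
    ("static-iv", re.compile(
        r'new\s+IvParameterSpec\(\s*(?:"[^"]*"\.getBytes\(|new\s+byte\[\s*\d+\s*\]\s*\))')),
]

def scan(source):
    """Return sorted (line_number, rule_id) pairs for every rule match."""
    findings = []
    for rule_id, pattern in RULES:
        for m in pattern.finditer(source):
            findings.append((source.count("\n", 0, m.start()) + 1, rule_id))
    return sorted(findings)

# Constructed Java source containing five of the issues and one safe cipher call.
SAMPLE = '''\
class Vault {
    void init(WebView view) {
        WebView.setWebContentsDebuggingEnabled(true);
        view.setWebViewClient(new WebViewClient() {
            public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
                handler.proceed();
            }
        });
    }
    byte[] seal(byte[] data) throws Exception {
        SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
        Cipher weak = Cipher.getInstance("AES/ECB/PKCS5Padding");
        Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
        return cbc.doFinal(data);
    }
}
'''

if __name__ == "__main__":
    for line, rule in scan(SAMPLE):
        print(f"line {line}: {rule}")
```
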

Addressing these challenges requires a robust and consistent approach to mobile app risk management. That requires building and managing a safe mobile app ecosystem for employees and partners to use. NowSecure is uniquely positioned to provide the intelligence needed to remove pervasive mobile app risks from the apps you build and to make more informed decisions about the apps to allow in your ecosystem. 

Monitor Apps with MARI

NowSecure MARI offers a comprehensive solution for identifying security, safety and privacy risks in apps. It empowers security, IT operations and GRC teams to proactively manage third-party risk by providing:

  • Comprehensive third-party app risk data: Gain visibility into the security risks associated with apps used within your organization.
  • Security, compliance, and privacy scores: Quickly assess the risk of an app based on a risk scoring system.
  • Bulk risk intelligence for MDMs, SOCs and GRC platforms: Quickly retrieve detailed security, compliance and privacy risk data for apps across your existing systems, streamlining the approach to managing mobile app security risks.

By leveraging the insights and intelligence provided by NowSecure MARI, organizations can achieve the following benefits:

  • Reduce business risk
  • Adapt quickly to security breaches or advisories
  • Ensure or maintain compliance
  • Accelerate onboarding 
  • Benchmark across industries

Contact us today to schedule a demo and learn how MARI can safeguard sensitive data across mobile app ecosystems and protect your organization from security threats.